<PAGE>
	<INCLUDE file="inc/header.tmpl" />

	<VAR match="VAR_SEL_PROTOCOLS" replace="selected" />
	<VAR match="VAR_SEL_ANYCONNECT" replace="selected" />
	<PARSE file="menu1.xml" />
	<PARSE file="menu2-protocols.xml" />

	<INCLUDE file="inc/content.tmpl" />

<h1>Cisco AnyConnect</h1>

<h2>How the VPN works</h2>

<p>The VPN is extremely simple, based almost entirely on the standard
HTTPS and <a href="https://www.rfc-editor.org/rfc/rfc4347.txt">DTLS</a>
protocols. You connect to the secure web server, authenticate using
certificates and/or arbitrary web forms, and you are rewarded with a
standard HTTP cookie named <tt>webvpn</tt>.</p>

<p>Some Cisco servers require you to execute a 'Cisco Secure Desktop'
trojan binary (intended for security scanning of the client system)
before authentication can complete; see <a href="csd.html">the CSD
page</a> for information on how to comply with this requirement, or
spoof it, with OpenConnect.</p>

<p>After authentication, you use the <tt>webvpn</tt> cookie
in an HTTP <tt>CONNECT</tt> request, and can
then pass traffic over that connection. IP addresses and routing
information are passed back and forth in the headers of that
<tt>CONNECT</tt> request.</p>

<p>Since <a href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP
over TCP is very suboptimal</a>, the VPN also attempts to use UDP
datagrams, and will only <em>actually</em> pass traffic over the HTTPS
connection if that fails. The UDP connectivity is done using Datagram
TLS, which is supported by OpenSSL.</p>

<h2>DTLS compatibility</h2>

<p><i><b>Note: DTLS is optional and not required for basic connectivity, as explained above.</b></i></p>

<p>Unfortunately, Cisco used an old version of OpenSSL for their server,
which predates the official RFC and has a few differences in the
implementation of DTLS.
</p>
<h3>OpenSSL</h3>
<p>Compatibility support for their "speshul" version of the protocol is
in the 0.9.8m and later releases of OpenSSL (and 1.0.0-beta2 and later).
</p>
<p><b>NOTE:</b> OpenSSL 1.0.0k, 1.0.1d and 1.0.1e have introduced bugs which
break this compatibility. See the <a href="https://lists.infradead.org/pipermail/openconnect-devel/2013-February/000827.html">thread</a> on the mailing list, which has patches for each.</p>

<p>If you are using an older version of OpenSSL which predates the
compatibility, you will need to apply this patch from OpenSSL CVS:</p>
<ul>
  <li><a href="http://cvs.openssl.org/chngview?cn=18037">http://cvs.openssl.org/chngview?cn=18037</a> (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1751&amp;amp;user=guest&amp;amp;pass=guest">RT#1751</a>)</li>
</ul>

For versions older than 0.9.8j, some generic DTLS bug fixes are also required:
<ul>
  <li><a href="http://cvs.openssl.org/chngview?cn=17500">http://cvs.openssl.org/chngview?cn=17500</a>  (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1703&amp;amp;user=guest&amp;amp;pass=guest">RT#1703</a>)</li>
  <li><a href="http://cvs.openssl.org/chngview?cn=17505">http://cvs.openssl.org/chngview?cn=17505</a> (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1752&amp;amp;user=guest&amp;amp;pass=guest">RT#1752</a>) </li>
</ul>
The username/password for OpenSSL RT is 'guest/guest'

<h3>GnuTLS</h3>

<p>Support for Cisco's version of DTLS was included in GnuTLS from 3.0.21 onwards (<a href="https://gitlab.com/nmav/gnutls/commit/fd5ca1afb7b223f1ce0c5330f2611996491c6aae">committed in <tt>fd5ca1af</tt></a>).</p>

	<INCLUDE file="inc/footer.tmpl" />
</PAGE>
